Versions Compared

Version Old Version 2 New Version Current
Changes made by

Scott Cantor

Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Current File(s): authn/authn.properties (V4.1+)
Format: Properties, Native Spring, Properties (V4.1+)

Table of Contents

Overview

...

Expand
titleProperties

The properties specific to this flow defined in authn/authn.properties are:

Name

Default

Description

idp.authn.X509Internal.saveCertificateToCredentialSet

true

Whether to save the certificate into the Subject's public credential set. Disable to reduce the size if not relying on the certificate for subject c14n.

The general properties configuring this flow via authn/authn.properties are:

Name

Default

Description

idp.authn.X509Internal.order

1000

Flow priority relative to other enabled login flows (lower is "higher" in priority)

idp.authn.X509Internal.nonBrowserSupported

true

Whether the flow should handle non-browser request profiles (e.g., ECP)

idp.authn.X509Internal.passiveAuthenticationSupported

false

Whether the flow allows for passive authentication

idp.authn.X509Internal.forcedAuthenticationSupported

false

Whether the flow supports forced authentication

idp.authn.X509Internal.proxyRestrictionsEnforced

%{idp.authn.enforceProxyRestrictions:true}

Whether the flow enforces upstream IdP-imposed restrictions on proxying

idp.authn.X509Internal.proxyScopingEnforced

false

Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying

idp.authn.X509Internal.discoveryRequired

false

Whether to invoke IdP-discovery prior to running flow

idp.authn.X509Internal.lifetime

%{idp.authn.defaultLifetime:PT1H}

Lifetime of results produced by this flow

idp.authn.X509Internal.inactivityTimeout

%{idp.authn.defaultTimeout:PT30M}

Inactivity timeout of results produced by this flow

idp.authn.X509Internal.reuseCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO

idp.authn.X509Internal.activationCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request

idp.authn.X509Internal.subjectDecorator

Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization

idp.authn.X509Internal.supportedPrincipals

(see below)

Comma-delimited list of protocol-specific Principal strings associated with flow

idp.authn.X509Internal.addDefaultPrincipals

true

Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow

idp.authn.X509Internal.c14n.flows 5.2

Comma-delimited list of c14n methods (beans) to run after use of this login flow

As a non-password based flow, the supportedPrincipals property defaults to the following XML:

Code Block
languagexml
<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:ietf:rfc:2246" />
</list>

In property form, this is expressed as (note the trailing commas):

Code Block
idp.authn.X509Internal.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
    saml1/urn:ietf:rfc:2246
Expand
titleFlow Descriptor XML

To replace the internally defined flow descriptor bean, the following XML is required:

Code Block
languagexml
<util:list id="shibboleth.AvailableAuthenticationFlows">
 
    <bean p:id="authn/X509Internal" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.X509Internal.order:1000}"
            p:nonBrowserSupported="%{idp.authn.X509Internal.nonBrowserSupported:false}"
            p:passiveAuthenticationSupported="%{idp.authn.X509Internal.passiveAuthenticationSupported:false}"
            p:forcedAuthenticationSupported="%{idp.authn.X509Internal.forcedAuthenticationSupported:false}"
            p:proxyRestrictionsEnforced="%{idp.authn.X509Internal.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.X509Internal.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.X509Internal.discoveryRequired:false}"
            p:lifetime="%{idp.authn.X509Internal.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
            p:inactivityTimeout="%{idp.authn.X509Internal.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
            p:reuseCondition-ref="#{'%{idp.authn.X509Internal.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.X509Internal.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:subjectDecorator-ref="#{getObject('%{idp.authn.X509Internal.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.X509Internal.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V45, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.

...